[c-nsp] IP sec tunnel , two IPs same interface

Jessup, Toby Toby.Jessup at qwest.com
Fri Aug 19 19:38:49 EDT 2005


Another solution is to eliminate IPsec entirely and just run plain-old
GRE over the Internet. But only crazy people would ever do that ....

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcus Keane
Sent: Friday, August 19, 2005 4:22 PM
To: Ashe Canvar
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IP sec tunnel , two IPs same interface


Ashe,

As Luan has already suggested, use tunnel protection not crypto maps.
You can then source one tunnel from the primary and another from the
secondary. ISAKMP will just follow this. The command is "tunnel
protection ipsec profile myprofile" on the tunnel interface.

Marcus

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ashe Canvar
Sent: Saturday, 20 August 2005 1:32 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IP sec tunnel , two IPs same interface

Thanks, all you guys. Here is the exact config:

!
interface Tunnel41
 description tunnel to vpnrt2.nyc
 ip address 10.17.1.17 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1300
 ip ospf cost 15000
 ip ospf hello-interval 2
 tunnel source AAA.AAAA.209.250
 tunnel destination BBB.BBB.217.250
 tunnel path-mtu-discovery
 crypto map VPN
!
interface FastEthernet0/0.100
 description tunnel endpoint
 encapsulation isl 100
 ip address AAA.BBB.209.250 255.255.255.0 secondary
 ip address YYY.XXX.158.4 255.255.255.128
 no ip redirects
 no ip proxy-arp
 no snmp trap link-status
 crypto map VPN
!

So the problem is that even though the "tunnel source AAA.AAAA.209.250"
command is enabled on the Tunnel41 interface, it picks up the
"YYY.XXX.158.4" IP to initiate ISAKMP. This is not what I want because I
PBR the AAA.AAAA.209.250 IP and want the tunnel to take that specific
path.

vpnrt1.sjc#sho crypto isakmp sa 
...
BBB.BBB.217.250 XXX.YYY.158.4    MM_KEY_EXCH       3807    0
...

Here are my responses to the suggestions so far:

1. You can't terminate tunnels on loopback interfaces because the crypto
map has to be applied to the incoming interface (have tried that).

2. Both IPs are in the same VLAN (limitation of the architecture), so
making 2 dot1q sub-interfaces in different VLANs is not feasible.

However, can I have 2 sub-interfaces in the same dot1q or ISL VLAN?

3. Derek, it would be awesome if you could dig up the global command.
But still the issue is that I want to terminate some tunnels on
AAA.BBB.209.250 and others on YYY.XXX.158.4.


Thanks again,
Regards,
-ansh



On 8/19/05, Antonio Querubin <tony at aloha.net> wrote:
> On Thu, 18 Aug 2005, Ashe Canvar wrote:
>
> > I need to terminate a GRE/IPsec tunnel on a router with only 2
> > ethernet interfaces. The inside interface has an RFC 1918 address and
> > the external interface has a routable IP. The problem is that I want to
> > add a second IP to this interface to terminate a different tunnel
> > (this IP is from a different ISP).
> >
> > I have tried doing a secondary IP on the same interface but this does
> > not work. "sho cry isakmp sa" always shows the connection attempt
> > being made from the primary IP.
> >
> > Any way around this? Can I make two sub-interfaces be in the same
> > VLAN and terminate the VPN on these instead of using the secondary IPs?
>
> Have you considered using multiple loopback interfaces for the tunnel
> endpoint?
>
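The tunnel-protection approach Marcus and Luan recommend, written out as an added example (not a config from anyone in this thread): two GRE tunnels on the same ISL subinterface, one sourced from the primary address and one from the secondary, each protected by an IPsec profile instead of a crypto map on the physical interface. All addresses, key strings and names are placeholders from the documentation ranges, not the poster's values.

```cisco
! Added example, not from the original thread. Placeholder addresses:
! local primary 192.0.2.4/25, local secondary 198.51.100.250/24,
! remote peers 203.0.113.10 and 203.0.113.20.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! One pre-shared key per remote peer (placeholder strings).
crypto isakmp key PLACEHOLDER-KEY-1 address 203.0.113.10
crypto isakmp key PLACEHOLDER-KEY-2 address 203.0.113.20
!
! Transport mode is enough: GRE already supplies the outer header.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface FastEthernet0/0.100
 description tunnel endpoints (no crypto map here)
 encapsulation isl 100
 ip address 198.51.100.250 255.255.255.0 secondary
 ip address 192.0.2.4 255.255.255.128
 no ip redirects
 no ip proxy-arp
!
! Tunnel sourced from the primary address; ISAKMP uses 192.0.2.4.
interface Tunnel41
 ip address 10.17.1.17 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1300
 tunnel source 192.0.2.4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
!
! Tunnel sourced from the secondary address; ISAKMP uses 198.51.100.250,
! so PBR on that address steers this tunnel's traffic independently.
interface Tunnel42
 ip address 10.17.1.21 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1300
 tunnel source 198.51.100.250
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile GRE-PROT
```

After both peers are up, "show crypto isakmp sa" should list one SA with src 192.0.2.4 and one with src 198.51.100.250, which is the check for the symptom Ashe described.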

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
